Data security risks are clear; and organisations are vulnerable
It goes without saying that data security is more important than ever. 2020 has already seen some notable data breaches–10.6 million MGM Resorts customers had sensitive information stolen, and the U.S. Defense Information Systems Agency revealed that its network had been compromised.
The risks are clear – and individuals and organizations alike are vulnerable.
Governments around the world have taken notice of the risks and have sprung into action to protect consumers. The EU introduced the General Data Protection Regulation, better known as GDPR, in 2018. This legislation details some of the world’s most stringent digital privacy protections (and penalties for those who violate them) and affects not just EU member states, but any company that conducts business with EU consumers. In the U.S., the California Consumer Privacy Act (CCPA) went into effect this year. This act drastically extended consumers’ rights to access, delete and control the sharing of their personal data.
However, reducing data security risks is a much bigger umbrella than giving consumers more control over their data. Companies must also create effective policies and procedures to manage what happens to the data stored on their retired technology assets.
Data security risks inherent to technology retirement
Data breaches and increased data security risks can sometimes be traced back to the mishandling of retired technology assets. There are a few key challenges to consider, including:
Idle end-of-life IT assets
A recent study by Blancco found that two in five organizations spend more than $100,000 per year to store unused technology hardware. Additionally, 18% of the study recipients have left devices somewhere on the premises with no plan of action for asset disposition. These idle devices can pose real risks, as many still have sensitive data on them. Furthermore, they are not often inventoried; thus, the opportunity for them to go missing is relatively high.
Inappropriate data destruction methods
Some companies don’t have a clear audit trail or chain of custody when it comes to data sanitization. This typically includes a detailed process that shows clear handoff points that are documented and audited against. Without these compliance and security measures in place, there’s no way to track assets throughout the various phases of the asset disposition process, including transportation to destruction facilities.
Too much reliance on reformatting
Many companies still believe in disk reformatting as a primary protection against data breaches. However, reformatting doesn’t completely erase data from end-of-life devices. In fact, data recovery software can be used to recover deleted info.
Use of the same procedures for SSDs and HDDs
Another common misconception among 20% of global enterprises is that solid-state drives (SSDs) and hard disk drives (HDDs) can be wiped the same way. SSDs store data on interconnected flash-memory chips that retain data even when there’s no power. They are more complex to wipe or physically destroy, and standard HDD procedures aren’t thorough enough to do the job.
While the decision to physically destroy an asset is different for every company, the destruction should be handled by a certified partner who understands how to compliantly destroy it. There are security and environmental risks to consider, including shred sizes, hazardous materials, employee health/safety issues and transboundary movement; these risks often require an experienced partner to effectively manage them. And then there are the economics of destroying assets; companies spend an estimated $1.7 million per year destroying devices in-house, according to the Blancco study.
TES is entrusted by OEMs and Global 2000 organizations to address these challenges in our 38 owned locations around the world. TES handles all logistics services, asset tracking, secure data sanitization, testing/refurbishment, remarketing and recycling; all of these are supported by detailed reporting designed to meet the most stringent requirements. Our data sanitization procedures are conducted in accordance with the NIST 800-88.R1 standard, which is recognized as the current standard used by governments and companies globally. Beyond that standard, we also do process audits and use outside third-party auditors to ensure 100% compliance. We leave nothing to chance when it comes to safeguarding data and the integrity of our processes.
TES can help your organization avoid costly pitfalls and legal liabilities during the asset disposition process. We can ensure that your technology assets are processed safely, in compliance with all global regulations and in a way that’s environmentally friendly while still maximizing value recovery.